Financial giant Capital One said that personal information of an estimated 100 million Americans was accessed during a data breach that lasted from March to July. The hacker, 33-year-old Paige Thompson, was arrested after posting information bragging – somewhat recklessly – about her hack on the popular coding platform GitHub and other social media. Thompson is a software engineer who formerly worked for Amazon Web Services, which hosts the Capital One database that was breached. It is one of the largest known data breaches of a financial institution, behind the 2017 hack of Equifax that left nearly 150 million records vulnerable.

From Facebook to Capital One — everything you wanted to know about data breaches and hacks, but were afraid to ask

by: Quentin Fottrell

Millions of Americans are wondering, ‘Was my data breached in the Capital One hack?’ Here’s what you should do next

The hacker also stole the names, addresses, phone numbers, dates of birth, credit scores and other financial data, Capital One said.

Capital One Financial Corp. announced late Monday that more than 100 million people had their personal information hacked.

The hacker got information including credit scores and balances, ZIP codes, email addresses, dates of birth, self-reported income and payments history, fragments of transaction data, plus the Social Security numbers of about 140,000 customers and 80,000 bank-account numbers from credit-card customers, the bank said. It will offer free credit-monitoring services to those affected. Consumers and small businesses who applied for Capital One credit cards from 2005 through early 2019 are most at risk.


The hack affected about 100 million people in the U.S. and 6 million in Canada, Capital One said. The company couldn’t say for sure whether the leaked data was used for fraud, but said it was unlikely. It first heard about the hack on July 19, but waited until July 29 to inform customers; it sought help from law enforcement to catch the alleged perpetrator.

Capital One has offered two years of free credit monitoring. However, privacy experts say credit monitoring only looks for changes on a credit report, which indicate that someone is using your personal information to open new accounts in your name; it does not prevent someone from taking out a loan in your name.

Such security precautions are unlikely to help people protect against a hack like the one Capital One announced Monday. Exposure of data that can’t be changed, such as Social Security numbers, is the hallmark of a particularly severe data breach. Capital One said it will contact those affected by the hack through “a variety of channels,” but will not ask customers to verify any personal details such as credit card or account information, or Social Security numbers, over the phone or via email.

On the plus side: The Social Security numbers and account numbers were “tokenized,” so that information should be safe from any potential bad actors, according to Capital One. “Those numbers were replaced by unique ‘tokens’ that can’t be used by anyone except Capital One,” said Paul Bischoff, privacy advocate with Comparitech. “The real numbers were stored elsewhere.”
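To make the tokenization point concrete, here is an added illustration (not Capital One's implementation, whose details the article does not describe, and not code from any vendor) of the property Bischoff describes: a vault kept apart from the customer database holds the real values, and every other copy of the data carries only random tokens. The `TokenVault` class, the field names and the customer records are constructed for the example; a copy of the tokenized records, if stolen, contains no Social Security or account numbers to recover.

```python
import secrets

SENSITIVE_FIELDS = ("ssn", "account_number")


class TokenVault:
    """Token vault kept separate from application data (assumed design for illustration).

    Real values are stored only here; every other system sees random tokens that
    reveal nothing about the value and are useless without access to the vault.
    """

    def __init__(self, token_length: int = 16) -> None:
        self._token_to_real: dict[str, str] = {}
        self._real_to_token: dict[str, str] = {}
        self._token_length = token_length

    def tokenize(self, real_value: str) -> str:
        # Reuse the token for a value seen before, so records can still be joined on it
        if real_value in self._real_to_token:
            return self._real_to_token[real_value]
        while True:
            # Random digits: no key and no cipher, so nothing to reverse outside the vault
            token = "".join(secrets.choice("0123456789") for _ in range(self._token_length))
            if token not in self._token_to_real:
                break
        self._token_to_real[token] = real_value
        self._real_to_token[real_value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only code with access to the vault can recover the real value
        return self._token_to_real[token]


def tokenize_records(vault: TokenVault, records: list[dict], fields=SENSITIVE_FIELDS) -> list[dict]:
    """Return copies of the records with the sensitive fields replaced by vault tokens."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if field in copy:
                copy[field] = vault.tokenize(copy[field])
        out.append(copy)
    return out


def exposes_real_values(records: list[dict], real_values: set[str]) -> bool:
    """True if any real sensitive value appears anywhere in a dataset (e.g. a copied one)."""
    return any(str(v) in real_values for rec in records for v in rec.values())


# Constructed sample customer records; every identifier here is fake
CUSTOMERS = [
    {"name": "Ada Example", "zip": "22102", "ssn": "000-00-0001", "account_number": "CONSTRUCTED-ACCT-1"},
    {"name": "Bob Example", "zip": "22102", "ssn": "000-00-0002", "account_number": "CONSTRUCTED-ACCT-2"},
    {"name": "Ada Example", "zip": "22102", "ssn": "000-00-0001", "account_number": "CONSTRUCTED-ACCT-3"},
]
REAL_VALUES = {rec[f] for rec in CUSTOMERS for f in SENSITIVE_FIELDS}

VAULT = TokenVault()
TOKENIZED = tokenize_records(VAULT, CUSTOMERS)

if __name__ == "__main__":
    for original, stored in zip(CUSTOMERS, TOKENIZED):
        print(stored)
        assert VAULT.detokenize(stored["ssn"]) == original["ssn"]
    print("real values present in tokenized copy:", exposes_real_values(TOKENIZED, REAL_VALUES))
```

The design choice worth noticing is that the same real value always maps to the same token, so analytics and fraud checks can still group records by customer without ever seeing the number itself; the vault, not the application database, becomes the system that has to be protected and audited.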


Be on your toes after a major hack or data breach. Consumers should never give out personal details over the telephone, even if the caller seems to represent Capital One or the email appears to be from a Capital One address. Consumers need to be careful whenever they are contacted by an unsolicited caller. Hang up and call the number on your card.

“Much of the data that wasn’t tokenized — names, addresses, dates of birth, etc. — can still be used against them,” he added. “Phishing” scams — calls, emails or text messages that appear to offer protection — are actually trying to get more data from customers. “Victims will likely receive targeted emails from scammers posing as Capital One or a related company. These emails might address the recipient by name and include other personal information, which makes the message much more convincing.”

Attorney General of New York Letitia James said missing safeguards in Capital One’s system led to a hack affecting 100 million U.S. consumers, and pledged to investigate the breach. “It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?” she said in a statement.

This is the latest in a long line of data breaches, privacy violations and hacks affecting hundreds of millions of Americans. Two years after Equifax revealed that hackers accessed the personal information of up to 147 million people, the credit reporting bureau recently announced a settlement for up to $700 million, including $425 million in relief for those who have been affected, although there are some key requirements people should be aware of before they file a claim.

Last year, Facebook announced that U.K.-based Cambridge Analytica improperly accessed 87 million Facebook users’ data. Facebook Chief Executive Mark Zuckerberg testified before Congress and vowed to do more to fix the problem, and help make sure that nothing like that happens again. Cambridge Analytica closed down in the wake of the scandal. Earlier this month, the Federal Trade Commission fined Facebook $5 billion.

WhatsApp, the messaging and audio app owned by Facebook, announced last May that hackers were able to install spyware on Android smartphones and Apple iPhones. “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” it said at the time.


More than 57 million customers of Uber had their data exposed by a massive hack in October 2016. Uber fired its chief security officer, Joe Sullivan, and one of his deputies, for concealing the hack, which included the email addresses of 50 million Uber riders around the world. The revelation was made a year after the attack. It also affected 7 million drivers.

Security experts generally recommend never re-using passwords and say people should use two-factor authentication on their phones, which requires a user to enter a code sent to their phone or email into an app or website in order to log in from a new device or to change a password. They also say those affected by such hacks should freeze their credit report.
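The "code sent to your phone or email" second factor described above depends on the receiving site handling that code carefully. The following added example (not code from the article or from any bank or vendor) shows the server side of such a check with an assumed design: the code is generated unpredictably, only its hash is stored, it is bound to the user, it expires, it can be used once, and the number of guesses is capped so a six-digit code cannot simply be enumerated. The `OneTimeCodeStore` class, the five-minute lifetime and the five-attempt cap are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed policy: a code expires five minutes after it is sent
MAX_ATTEMPTS = 5         # a million-code space is guessable without a cap on attempts


class OneTimeCodeStore:
    """Server side of a 'code sent to your phone or email' second factor (assumed design).

    The server never stores the code itself, only a hash; the code is single-use,
    expires, and the number of guesses allowed per code is capped.
    """

    def __init__(self, now=time.time) -> None:
        self._now = now                  # injectable clock so expiry can be exercised in tests
        self._pending: dict[str, tuple[str, float, int]] = {}

    @staticmethod
    def _hash(user_id: str, code: str) -> str:
        # Bind the hash to the user so a code issued to one account cannot verify for another
        return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # secrets, not random: the code must be unpredictable
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = (self._hash(user_id, code), self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code  # the caller delivers this out of band; the server keeps only the hash

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[user_id]          # expired or exhausted: a fresh code is required
            return False
        if hmac.compare_digest(code_hash, self._hash(user_id, submitted)):
            del self._pending[user_id]          # single use
            return True
        self._pending[user_id] = (code_hash, expires_at, attempts_left - 1)
        return False


def demo_flow() -> dict:
    """Walk through the happy path and the three failure modes using a fake clock."""
    clock = [1_000_000.0]
    store = OneTimeCodeStore(now=lambda: clock[0])
    results = {}

    code = store.issue("alice")
    wrong = "000000" if code != "000000" else "999999"
    results["wrong_code_rejected"] = not store.verify("alice", wrong)
    results["right_code_accepted"] = store.verify("alice", code)
    results["replay_rejected"] = not store.verify("alice", code)

    code = store.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not store.verify("alice", code)

    code = store.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", "wrong!")
    results["exhausted_rejected"] = not store.verify("alice", code)
    return results


if __name__ == "__main__":
    for name, ok in demo_flow().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The constant-time comparison and the hash-only storage matter less than the two policy limits: without expiry and an attempt cap, a short numeric code is a weak factor no matter how it is generated.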

Here’s what else you should do now:

1. Check if your accounts have been affected

There still aren’t many formal ways to check if your data has been compromised in a breach. Often, the company will alert affected customers, but they aren’t required to. Some states, like California, have laws requiring companies to disclose data breaches that affect a certain number of customers, and the Federal Trade Commission has discussed proposing similar regulations. Consumers can also monitor their credit report to shut down fraudulent activity as quickly as possible.

2. Know the difference between a credit freeze and a lock

A freeze means that a consumer cannot take out a new loan or credit card without “unfreezing” the report first, but it also prevents a hacker from taking out a loan in your name. Credit agencies also offer a service called credit “locking,” which offers the same protections as a freeze, but typically costs a monthly fee. Contact Equifax, Experian and TransUnion to request a freeze.

3. Sign up for additional fraud protection

Those affected can also sign up for services that go beyond typical credit freezing and alert services, such as Lifelock, EZ Shield and Identity Guard. The most basic version of Lifelock costs $9.99 per month and provides benefits including address change verification, help canceling or replacing lost credit cards, driver’s licenses, Social Security cards and insurance cards, plus a “restoration team” that helps correct any identity-theft issues and black-market website surveillance.

4. Know the difference between a hack and a breach

A breach is when data is unintentionally left unsecured and vulnerable to hacking, as a result of malicious activity or from negligence. A hack specifically refers to the activities of cyber attackers who purposely compromise IT infrastructure to steal information or to hold systems ransom; that’s what happened with Capital One. If your data was part of a breach, it’s possible it was just left exposed online and was not stolen.